Computer networks, and in particular Wide Area Networks (WANs) such as the Internet, provide opportunities for the misuse and abuse of communications traveling thereover. For example, two users (e.g., a human user and an enterprise server) communicating via the WAN may have their communications intercepted and/or altered. Also, it is possible for one user to misrepresent his, her, or its identity to another user.
Thus, there is a need for both privacy and authentication between users of the network communicating with one another. In other words, users should be able to rely on the fact that their transmissions will not be intercepted or altered, and that transmissions from someone purporting to be a particular user do in fact originate from that user.
In many secure communication applications, a key is required in order to perform certain cryptographic operations such as encryption, decryption, authentication, etc. The key may comprise, by way of example, a symmetric key or other secret shared by two or more entities.
One such application is in authentication tokens, such as the RSA SecurID® authentication token commercially available from RSA Security Inc. of Bedford, Mass., U.S.A. The RSA SecurID® authentication token is used to provide two-factor authentication. Authorized users are issued individually-registered tokens that generate single-use one time pass-codes (OTPs), which change based on a time code algorithm. For example, a different OTP may be generated every 60 seconds. In a given two-factor authentication session, the user is required to enter a personal identification number (PIN) plus the current OTP from his or her authentication token. This information is supplied to an authentication entity. The authentication entity may be a server or other processing device equipped with RSA ACE/Server® software, available from RSA Security Inc. The PIN and current OTP may be transmitted to the authentication entity via an encryption agent equipped with RSA ACE/Agent® software, also available from RSA Security Inc. If the PIN and current OTP are determined to be valid, the user is granted access appropriate to his or her authorization level. Thus, the OTPs are like temporary passwords that cannot be guessed by an attacker, with other than a negligible probability.
A given RSA SecurID® token typically contains one or more keys that are utilized in computing OTPs. The authentication entity performing the verification of the OTPs requires access to one or more keys associated with the token in question. Typically, such authentication entities have access to the same key or set of keys that the token uses to generate its output.